Splunk Search

Mapping id and name from lookup csv

alanhodreamshub
Explorer

Hello experts,

My splunk search can return only a list of group IDs, but group names can only be found separately

there is a groups.csv file which maps id and name

groupid,groupname,
"a1234", "apple",
"b2345","balloons",
"c1144","cats"

How can I write the query to return group id and the corresponding group name

index=myidx type=groups 
| table _time groupid groupname

Thanks a lot!

 

Labels (1)
0 Karma
1 Solution

jwalthour
Communicator

Try this:

index=myidx type=groups
| lookup groups.csv groupid AS ‘request.groupid’ OUTPUTNEW groupname
| table _time request.groupid groupname

View solution in original post

alanhodreamshub
Explorer

my bad, i should be more precise. 

index=myidx type=groups 
| table _time request.groupid groupname

this will return:

_timerequest.groupidgroupname
2021-11-01 15:33"a1234" 
2021-11-01 15:33"b2345" 
2021-11-01 15:33"c1144"
 


groups.csv: 

groupid,groupname,
"a1234", "apple",
"b2345","balloons",
"c1144","cats"

How can i map request.groupid with the groupname (associated to groupid) in groups.csv

0 Karma

jwalthour
Communicator

Try this:

index=myidx type=groups
| lookup groups.csv groupid AS ‘request.groupid’ OUTPUTNEW groupname
| table _time request.groupid groupname

alanhodreamshub
Explorer

Thanks!

0 Karma

vhharanpositka
Path Finder

Hi @alanhodreamshub 

 

You have to include the lookup life in the search for mapping the id and name.

Try this one

Search:

index=myidx type=groups | lookup groups.csv groupid OUTPUT groupname
| table _time groupid groupname

0 Karma

jwalthour
Communicator

How about:

index=myidx type=groups
| lookup groups.csv groupid OUTPUTNEW groupname
| table _time groupid groupname

0 Karma
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...